Home  |   Subscribe  |   Resources  |   Reprints  |   Writers' Guidelines

Web Exclusive

Get the Most Out of Your Secure File Transfer System
By Alan Gonsenhauser

Collaboration among hospitals and health networks, health plans, research institutions, and government agencies, as well as intradepartmental collaboration, is a mission-critical necessity. But the high-tech environment that’s been created to facilitate this collaboration and data exchange is often filled with security challenges. How can healthcare institutions ensure physician and patient data are kept secure? How can these organizations ensure efficient, timely, and safe collaboration with outside institutions?

Healthcare today depends on sharing protected health information (PHI) to drive clinical efficiencies and provide better patient care. Secure collaboration and intradepartmental PHI sharing extends from hospitals to practices, specialists, payers, pharmacies, labs, research institutions, and government.

Moreover, meeting federal and state governmental regulations and accelerating auditing to ensure PHI security has become a key priority. The federal government is providing financial incentives for healthcare entities to achieve meaningful use of EHRs. During this year’s annual HIMSS conference, the federal government announced a draft proposed rule for stage 2 meaningful use that includes this: “Conduct or review a security risk analysis in accordance with the requirements under 45 C.F.R. Section 164.308 (a) (1), including addressing the encryption/security of data at rest. (3) And implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

Notwithstanding the clinical need to share PHI data along with government enforcement to protect them, the volume of data breaches and class action suits is embarrassingly commonplace. Why? The “2012 HIMSS Analytics Report: Security of Patient Data” said most facilities are too wrapped up in compliance issues to focus on keeping patient data protected. Also, commonly used technologies facilitating data exchange can be unsecure and inefficient. Historical methods to share PHI (eg, e-mail, FTP sites) were never designed as secure or encrypted, have file size limitations (e-mail servers), require significant staff time to implement (FTP), can be left in unsecure environments (physical media), and do not produce audit trails of user activity.

Sending PHI data via e-mail can also cause compliance issues with HIPAA. The act, which protects individuals’ PHI data, requires entities handling that information to ensure it is secure when stored, delivered, or shared. If an organization breaches HIPAA compliance, it is open to fines, public notification of the breach, and other penalties. To electronically secure medical information and patient records, they must be encrypted both at rest and in transit, sent only to authenticated recipients, and be able to demonstrate recall capabilities if misaddressed. Since e-mail doesn’t conform completely to these basic security parameters, sending medical information through it can lead to noncompliance concerns.

Thankfully, there’s now a better way to keep PHI secure, whether sharing or collaborating inside or outside the walls of a facility. Secure file transfer (SFT) technology can be simple for users and IT staff and provide automatic data encryption for PHI data in transit and at rest as well as automatic auditing, delivery confirmation, and user authentication.

Before acquiring an SFT system, the following are some questions to ask vendors:

• How simple is the SFT system for end users to learn, and how fast is adoption? Get references.

• Is data in transit and at rest automatically encrypted? Will encryption work seamlessly with the facility’s antivirus software?

• Are there any file size limitations? Does the solution depend on any exchange server file size limitations?

• Does the application seamlessly tie to existing information systems, such as Microsoft Outlook, and use active directory?

• Must the app be deployed in the DMZ (perimeter networking) or can it be split between network layers?

• How easy is it to audit user activity and files shared within the system?

• How does the facility add users outside the hospital walls, such as practices, payers, health information exchanges?

• Is the solution exclusively software and easily upgradeable?

• Are there extra charges for major release upgrades, or are they included in the service agreement?

• What are the mobile strategies and capabilities?

With today’s need to securely share PHI to promote better quality care, it’s time to reevaluate existing methods. Whether achieving compliance or meaningful use stage 2 incentives by encrypting PHI, driving staff efficiencies, securing collaboration, or auditing transactions, SFT software is superior to historical communications methods. It’s far easier and more secure. When considering SFT systems deployment for your entity to communicate PHI, the vendor-probing questions above will help you make the decision which makes the most sense for your healthcare institution.

— Alan Gonsenhauser is senior vice president and chief marketing officer at Biscom.